    lamapalestine Posts: 7, Reputation: 1
    New Member
     
    #1

    Mar 27, 2008, 03:45 AM
    Disable USB memory stick in the network
    Dear,

    How can I disable USB memory sticks in my company? I want to do that on network level not on user level.

    Can I do that in ISA 2006?


    Please advise
    Curlyben Posts: 18,514, Reputation: 1860
    BossMan
     
    #2

    Mar 27, 2008, 03:46 AM
    You can use GPO to do this, BUT it would mean disabling USB connections completely.
    The knock-on of this would be NO USB keyboards or mice.
    lamapalestine Posts: 7, Reputation: 1
    New Member
     
    #3

    Mar 27, 2008, 05:18 AM
    I didn't find it in GPO

    Please clarify
    NeedKarma Posts: 10,635, Reputation: 1706
    Uber Member
     
    #4

    Mar 27, 2008, 05:33 AM
    My IT boys have been looking for a way to do this for a while. I don't think it is currently possible in a Windows world though I believe a future add-on is coming to deal with that.
    Curlyben Posts: 18,514, Reputation: 1860
    BossMan
     
    #5

    Mar 27, 2008, 05:48 AM
    I know you can do it at a machine level by changing the default hardware profile.
    As for using GPO it is possible with 2003 enterprise server, pain in the bottom to find though.
    chuckhole Posts: 850, Reputation: 45
    Senior Member
     
    #6

    Mar 28, 2008, 08:00 AM
    You can perform this with a GPO and it would NOT disable all other USB devices. By setting the permissions on each local PC to three files:

    Set DENY Permissions for Domain Users to:
    %SYSTEMROOT%\INF\USBSTOR.INF
    %SYSTEMROOT%\INF\USBSTOR.PNF
    %SYSTEMROOT%\SYSTEM32\DRIVERS\USBSTOR.SYS

    This will have to be added to the Security templates in the Machine part of the GPO.

    By denying permissions to these files, the user will not be able to run the USB Mass Storage Driver. This will affect ANY storage device connected by USB.
    michealb Posts: 484, Reputation: 129
    Full Member
     
    #7

    Mar 28, 2008, 09:49 AM
    On my small network clients I use a program called ScriptLogic. It's basically a graphical GPO editor but it's very easy to use and lets you set lots of things that you wouldn't even have thought to set through GPO, including not allowing USB drives.
    NeedKarma Posts: 10,635, Reputation: 1706
    Uber Member
     
    #8

    Mar 28, 2008, 10:11 AM
    Thanks Michael,
    I dug into their site and found this: Desktop Authority® - Patch Management - ScriptLogic

    Info has been forwarded to my IT guys.

    NeedKarma Posts: 10,635, Reputation: 1706
    Uber Member
     
    #9

    Mar 28, 2008, 10:43 AM
    Added complication: just spoke with them and I see why they haven't implemented anything yet. Disabling all USB ports would be disastrous since many devices use them: mice, cameras, printers, keyboards. Apparently they are testing a solution that is device-aware. If I find out what that is I'll let you know.
    michealb Posts: 484, Reputation: 129
    Full Member
     
    #10

    Mar 28, 2008, 11:14 AM
    Scriptlogic is device aware. The amount of stuff you can configure with a few mouse clicks is pretty neat and for small offices the overhead that it cuts in administration time is definitely worth the price.
    NeedKarma Posts: 10,635, Reputation: 1706
    Uber Member
     
    #11

    Mar 28, 2008, 11:23 AM
    It seems that way: http://www.scriptlogic.com/products/...t_Security.pdf

    It would certainly require testing. Thanks again michealb.
    chuckhole Posts: 850, Reputation: 45
    Senior Member
     
    #12

    Apr 1, 2008, 12:01 PM
    ScriptLogic is a fantastic product. The downside for us is that there is a price tag associated with it and I have been able to perform many of the things we need to do with VBScript and GPOs. If I had my choice, ScriptLogic would be in use here as well.

    The answer I provided has been in production here for 5 years. There have been no complications with any other devices. It disables the Mass Storage device drivers ONLY.
    kickarse Posts: 6, Reputation: 1
    New Member
     
    #13

    Apr 1, 2008, 01:19 PM
    I agree completely with Chuckhole. ScriptLogic has nice products but can get expensive. Especially for something that is as simple a fix as a reg hack and GPO security setting.
    lamapalestine Posts: 7, Reputation: 1
    New Member
     
    #14

    Apr 7, 2008, 04:17 AM
    Thanks a lot, dear. I will try it.
    kickarse Posts: 6, Reputation: 1
    New Member
     
    #15

    May 1, 2008, 09:55 AM
    I just tested the procedure that Chuckhole offered and it didn't work in my environment. Nor did renaming the files because they just get recreated (or at least the .sys file did and that's really the one that matters). The INF, PNF, SYS files are cached somewhere else. Even a reboot didn't affect access.

    The other way, the one that worked, is to do it by denying access to the registry key
    HKLM\SYSTEM\CurrentControlSet\Services\USBSTOR

    and the string that really affects it is below
    "ImagePath"="system32\DRIVERS\USBSTOR.SYS"

    You can test this by editing the string value to USBSTOR.SY_

    This method allows access to USB devices such as printers, keyboards, mice and other human input devices and peripherals.
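
An added example, not part of any post in this thread: a read-only PowerShell audit that reports, for the three driver files named in post #6 and the registry key named in post #15, which accounts have a Deny entry and what ImagePath currently holds. It assumes an elevated session on the client being checked; the function name Get-UsbStorDenyReport is hypothetical.

```powershell
# Added example (not from the thread): read-only audit of the two controls discussed above.
# Get-UsbStorDenyReport is a hypothetical name; nothing here changes the system.
function Get-UsbStorDenyReport {
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'
    $targets = @(
        "$env:SystemRoot\INF\USBSTOR.INF",
        "$env:SystemRoot\INF\USBSTOR.PNF",
        "$env:SystemRoot\SYSTEM32\DRIVERS\USBSTOR.SYS",
        $key
    )

    foreach ($target in $targets) {
        $row = [ordered]@{ Target = $target; Exists = $false; DenyFor = ''; Note = '' }
        if (Test-Path -LiteralPath $target) {
            $row.Exists = $true
            try {
                # Collect the accounts that have an explicit or inherited Deny entry.
                $deny = (Get-Acl -LiteralPath $target -ErrorAction Stop).Access |
                    Where-Object { $_.AccessControlType -eq 'Deny' }
                $row.DenyFor = ($deny | ForEach-Object { $_.IdentityReference.Value } |
                    Sort-Object -Unique) -join '; '
                if (-not $row.DenyFor) { $row.Note = 'no Deny entry: control not applied' }
            }
            catch {
                # A Deny that covers the auditing account also blocks reading the ACL.
                $row.Note = "ACL unreadable: $($_.Exception.Message)"
            }
        }
        else {
            $row.Note = 'not found or not accessible'
        }
        [pscustomobject]$row
    }

    # ImagePath is the value post #15 identifies as the one that matters.
    $svc = Get-ItemProperty -LiteralPath $key -Name ImagePath -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Target  = "$key\ImagePath"
        Exists  = [bool]$svc
        DenyFor = ''
        Note    = if ($svc) { "value: $($svc.ImagePath)" } else { 'value not readable' }
    }
}

Get-UsbStorDenyReport | Format-Table -AutoSize -Wrap
```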
    AnthonyToby Posts: 1, Reputation: 1
    New Member
     
    #16

    Jul 29, 2008, 06:41 AM
    +1 to scriptlogic's tool.
    We've been using this desktop authority for some years and have been very happy with it.
    We used altiris management suite before and we were fully disappointed with their features and uncountable bugs.
    As for desktop authority - it works well for us and it was priced lower (that is also very important).
    We successfully configured usb security - we blocked only particular devices like usb sticks and mp3 players for some particular users and groups of users. With desktop authority we were able to do more too.
    Now we manage outlook profiles, drive and printer mappings, desktops configuration, patch and software deployment.
    It fully replaced all handwritten scripts and other tools that we used before for such purposes.
    intel_iit Posts: 1, Reputation: 1
    New Member
     
    #17

    Mar 30, 2009, 12:41 AM
    Don't make such hassles. Just go forward and download the best software for such a task.
    It is uHook 2.1 and it's awesome! Because it selectively allows/blocks access to required USB device.
    Download it from Dataresolve Technologies - End Point Data Loss Prevention and from my experience it delivers exactly what it claims.
    Using it you can also password protect and enable and disable your USB data transfers when required and even keep them under check.
    It gives other companies a run for their product because uHook is an excellently built product.
